Network Address Translation (NAT)
NAT was developed to address a couple of concerns. First, the number of public IP
addresses available on the Internet was becoming depleted. Second, because of the
interconnectivity of networks, it was possible for an administrator to assign a set of IP
addresses to a network that someone else might be using. This is a common situation
when two companies and their respective networks are combined. NAT addresses these
two concerns by providing a mechanism by which any number of IP addresses can be
translated to a different range of IP addresses, or in some cases a single or smaller range
of IP addresses.
To address the limitation of available IP addresses, NAT can be used to translate hundreds
or even thousands of IP addresses to just a couple of IP addresses, or even a single IP
address, thereby allowing a company to provide Internet access to its hosts without
needing to allocate thousands of IP addresses on the Internet to do so. To address the
issue of invalid networks, or in many cases duplicate networks, NAT can be used to
make each network appear as a completely different network. Figure 3-13 illustrates
the process of NAT and Internet connectivity.
Figure 3-13. Example of NAT and Internet Access
In this example, when Host A attempts to access the Internet, the firewall translates the
request from having a source address of 10.1.1.100 to having a source address of
209.165.201.10 and transmits the data across the Internet. The firewall then stores this
translation in its translation table so that it knows how to deal with the return traffic.
When Host B receives the data, it thinks it is communicating with 209.165.201.10 and
addresses the return traffic accordingly. When the firewall receives the return traffic, it
refers back to its translation table and determines that the traffic should be delivered to
10.1.1.100. The firewall repackages the packet, this time changing the destination IP
address to 10.1.1.100, and transmits it accordingly. In doing so, Hosts A and B can
communicate with each other, for all intents and purposes completely unaware that NAT
is occurring.
Because NAT effectively hides the actual IP addresses that are in use, many networks
have elected to use it in conjunction with private IP addresses. Private IP addresses are
defined in RFC 1918 and are a predefined set of IP addresses that cannot be used on the
Internet and therefore are referred to as being nonroutable. Because NAT prevents
Internet-connected hosts from being able to ascertain what IP address is being used
behind a NAT router, organizations have elected to implement the private IP addresses so
that they can pretty much do whatever they want with them without concern for how
they may interact with the Internet or other networks. The RFC 1918 IP addresses are as
follows:
• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16
Note
RFC 3022 and RFC 2663 define NAT.
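Since RFC 1918 addresses are not routable on the Internet, a packet that reaches the outside interface of a firewall still carrying one of them is a sign that translation did not happen (a missing NAT rule, or traffic for a private destination escaping outward). The following detector is an added example, not code from the book; it spells out the three RFC 1918 blocks explicitly instead of relying on `ipaddress.is_private` (which also matches loopback, link-local and other reserved ranges), and runs over a few constructed flow records whose `iface=`/`src=`/`dst=` field layout is an assumption, not any vendor's log format.

```python
import ipaddress
import re

# The three RFC 1918 blocks, written out so the check means exactly "RFC 1918"
# and nothing else (ipaddress.is_private would also match 127/8, 169.254/16, ...).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Assumed record layout for the constructed sample below (not a real log format).
LINE = re.compile(r"iface=(?P<iface>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def find_private_on_outside(log_lines, outside_iface="outside"):
    """Return (line_number, src, dst) for every packet seen on the outside
    interface that still carries an RFC 1918 address, i.e. it left untranslated."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LINE.search(line)
        if not m or m["iface"] != outside_iface:
            continue
        if is_rfc1918(m["src"]) or is_rfc1918(m["dst"]):
            hits.append((n, m["src"], m["dst"]))
    return hits


# Constructed flow records, not real firewall output.  Line 2 is Host A of
# Figure 3-13 correctly translated; lines 3 and 4 are leaks; line 5 carries a
# look-alike address (176.16.0.1) that is NOT in RFC 1918 and must not be flagged.
SAMPLE_LOG = [
    "iface=inside src=10.1.1.100 dst=198.51.100.25 proto=tcp dport=80",
    "iface=outside src=209.165.201.10 dst=198.51.100.25 proto=tcp dport=80",
    "iface=outside src=172.16.5.9 dst=198.51.100.25 proto=udp dport=53",
    "iface=outside src=198.51.100.25 dst=192.168.1.20 proto=tcp dport=445",
    "iface=outside src=176.16.0.1 dst=198.51.100.25 proto=tcp dport=22",
]

if __name__ == "__main__":
    for n, src, dst in find_private_on_outside(SAMPLE_LOG):
        print("line %d: untranslated RFC 1918 address on outside interface: %s -> %s" % (n, src, dst))
```

Any hit from this check is worth a look at the NAT configuration and the routing of the affected network; a private destination on the outside interface (line 4 above) usually means a route for that prefix is missing and the traffic is being sent to the default gateway.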
NAT Implementations
There are four primary NAT implementations. They all accomplish the same function,
the translating of traffic from one IP address to another, but they go about the translation
process in different manners. They are as follows:
• Static NAT: Static NAT is sometimes referred to as traditional NAT, and refers to
the mapping of one IP address to another IP address. Consequently, static NAT
implementations require the same number of IP addresses as need to be translated.
For this reason, static NAT is not an effective method of reducing the number of IP
addresses required for access to a network or the Internet.
• Dynamic NAT: Dynamic NAT functions in a similar fashion to static NAT, but
instead of each IP address having a one-to-one translation, a dynamic pool of IP
addresses can be used for the translation. Doing so enables you to reduce the number
of IP addresses in use because the pool of addresses can be smaller than the total
number of IP addresses that must be translated.
• Port Address Translation: Whereas static and dynamic NAT perform a translation
from one IP address to another, Port Address Translation (PAT) allows for the
translation of a number of IP addresses to a single IP address. This is done by
translating requests by TCP or UDP port. The translating router or firewall builds
a NAT table, but instead of assigning an IP address for the outbound
communications, it assigns a port number. When the response comes back to that
port number, the translating router or firewall reverses the process.
• Bidirectional NAT: In most cases, NAT is used to translate data in a single
direction, typically from an internal or protected network to an external or
unprotected network. Bidirectional NAT provides for the use of NAT regardless of
the direction of the traffic flow.
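The translation-table mechanics of Figure 3-13 and the difference between the one-to-one implementations (static and dynamic NAT) and PAT can be made concrete in a few dozen lines. The simulator below is an added example, not code from the book or from any firewall vendor: `Packet` holds only the header fields a translator looks at, `DynamicNat` hands out one outside address per inside address from a pool (static NAT is the same class with the mapping supplied up front), and `PortAddressTranslator` shares a single outside address by assigning each flow its own outside port. Host A's and the firewall's addresses come from the chapter; Host B's address 198.51.100.25 and the port numbers are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT device reads and rewrites (simplified, constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicNat:
    """One-to-one translation: each inside address is mapped to one address taken
    from an outside pool on first use.  Static NAT is the same thing with the
    mapping fixed up front and no pool to draw from."""

    def __init__(self, pool=(), static=None):
        self.free = list(pool)                 # outside addresses not yet handed out
        self.out_table = dict(static or {})    # inside ip -> outside ip
        self.in_table = {o: i for i, o in self.out_table.items()}

    def outbound(self, pkt):
        out_ip = self.out_table.get(pkt.src_ip)
        if out_ip is None:
            if not self.free:
                # The pool is smaller than the number of inside hosts that want out.
                raise RuntimeError("NAT pool exhausted, no translation for %s" % pkt.src_ip)
            out_ip = self.free.pop(0)
            self.out_table[pkt.src_ip] = out_ip
            self.in_table[out_ip] = pkt.src_ip
        return replace(pkt, src_ip=out_ip)

    def inbound(self, pkt):
        inside = self.in_table.get(pkt.dst_ip)
        if inside is None:
            return None          # no table entry: unsolicited traffic is dropped
        return replace(pkt, dst_ip=inside)


class PortAddressTranslator:
    """PAT: every inside host shares one outside address; the translator keeps
    flows apart by giving each one its own outside port."""

    def __init__(self, outside_ip, first_port=1024, last_port=65535):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table = {}   # (inside ip, inside port, proto) -> outside port
        self.in_table = {}    # (outside port, proto) -> (inside ip, inside port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        port = self.out_table.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=port)

    def inbound(self, pkt):
        entry = self.in_table.get((pkt.dst_port, pkt.proto))
        if entry is None:
            return None          # reply to a port never handed out: drop it
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def figure_3_13_walkthrough():
    """Host A (10.1.1.100) reaches Host B through a firewall that translates to
    209.165.201.10; Host B's address 198.51.100.25 is constructed."""
    fw = DynamicNat(static={"10.1.1.100": "209.165.201.10"})
    request = Packet("10.1.1.100", 40000, "198.51.100.25", 80)
    on_internet = fw.outbound(request)              # what Host B sees
    reply = Packet("198.51.100.25", 80, on_internet.src_ip, on_internet.src_port)
    delivered = fw.inbound(reply)                   # what Host A receives
    return on_internet, delivered


if __name__ == "__main__":
    seen, back = figure_3_13_walkthrough()
    print("Host B sees source", seen.src_ip, "-> reply delivered to", back.dst_ip)
    pat = PortAddressTranslator("209.165.201.10")
    for host in ("10.1.1.100", "10.1.1.101"):
        print(pat.outbound(Packet(host, 40000, "198.51.100.25", 443)))
```

Two behaviours worth noticing: a `DynamicNat` built with a one-address pool refuses the second inside host outright, which is the cost of the smaller pool the text mentions, whereas the PAT table keeps going until it runs out of ports; and in both classes a return packet with no matching table entry yields `None`, which is the property that makes a NAT device drop unsolicited inbound connections.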
NAT and IPsec: The Issues and the Solutions
Although NAT works in most cases, not all traffic can be successfully translated (in
particular, when the original data cannot be manipulated, as is the case with IPsec).
The reason for this is that the NAT process actually changes the data packet while it is
being translated. Because of the nature of IPsec, when the data packet is rebuilt using
NAT, the receiving router detects that the data has been changed (the source IP address is
no longer the correct source IP address) and discards the packet. To address this, a
process known as NAT traversal (NAT-T) has been developed.
NAT-T encapsulates the complete IPsec packet into either a TCP or UDP packet, which
is then translated accordingly. By doing this, the traffic can be translated as required
without the original IPsec data being changed. Figure 3-14 illustrates the encapsulation
process and subsequent NAT.
Figure 3-14. NAT-T Encapsulation
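The two outcomes the text describes, a packet discarded because NAT altered a source address the integrity check was computed over, and the same packet surviving once it is carried inside a UDP datagram, can be shown with a small model. This is an added example, not the book's code and not the real IPsec or NAT-T wire formats: HMAC-SHA256 stands in for the IPsec integrity check, the "headers" are nine-byte stand-ins, and the key and addresses of the outside peer are constructed. Standardised NAT-T (RFC 3948) uses UDP port 4500, which the model reuses for the outer datagram. In real IPsec it is AH, whose integrity value covers the IP source address, that fails exactly as the text describes; the model follows the text and binds the addresses into the tag.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-key"   # integrity key shared by the two IPsec peers (constructed)
NAT_T_PORT = 4500                 # UDP port IPsec NAT-T uses (RFC 3948)
TAG_LEN = 32                      # HMAC-SHA256 output length
PROTO_ESP, PROTO_UDP = 50, 17     # IP protocol numbers


def ip_header(src, dst, proto):
    """Minimal stand-in for an IP header: source, destination, protocol (9 bytes)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + bytes([proto])


def protect(src, dst, payload):
    """Sender side: the integrity tag covers the addresses as well as the data,
    so any later change to the source address invalidates the packet."""
    hdr = ip_header(src, dst, PROTO_ESP)
    tag = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


def verify(packet):
    """Receiver side: recompute the tag; on a mismatch the packet is discarded."""
    hdr, body, tag = packet[:9], packet[9:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY, hdr + body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def nat_rewrite_source(packet, new_src):
    """What the NAT device does to whatever it forwards: replace the source
    address in the outermost header and leave the rest of the packet alone."""
    return socket.inet_aton(new_src) + packet[4:]


def nat_t_encapsulate(protected, outer_src, outer_dst):
    """NAT-T: carry the whole protected packet as the payload of a UDP datagram
    with its own outer header.  The NAT only ever touches that outer header."""
    outer = ip_header(outer_src, outer_dst, PROTO_UDP)
    udp = struct.pack("!HHH", NAT_T_PORT, NAT_T_PORT, len(protected))
    return outer + udp + protected


def nat_t_decapsulate(packet):
    """Peel off the outer IP and UDP headers and return the untouched inner packet."""
    udp, inner = packet[9:15], packet[15:]
    _sport, dport, length = struct.unpack("!HHH", udp)
    if dport != NAT_T_PORT or length != len(inner):
        raise ValueError("not a well-formed NAT-T datagram")
    return inner


def compare_with_and_without_nat_t():
    """Returns (verifies_without_nat_t, verifies_with_nat_t) for the same packet
    crossing the same NAT.  Addresses: inside host and firewall from Figure 3-13,
    remote peer constructed."""
    inside, nat_public, peer = "10.1.1.100", "209.165.201.10", "198.51.100.25"
    protected = protect(inside, peer, b"constructed application data")

    # Without NAT-T the NAT rewrites the very header the tag was computed over.
    plain_after_nat = nat_rewrite_source(protected, nat_public)

    # With NAT-T the rewrite lands on the outer header; the inner packet is intact.
    encap = nat_t_encapsulate(protected, inside, peer)
    encap_after_nat = nat_rewrite_source(encap, nat_public)
    inner = nat_t_decapsulate(encap_after_nat)

    return verify(plain_after_nat), verify(inner)


if __name__ == "__main__":
    without, with_nat_t = compare_with_and_without_nat_t()
    print("integrity check passes without NAT-T:", without, "| with NAT-T:", with_nat_t)
```

The practical consequence for a firewall administrator is the same as in the text: a NAT device in the path must let UDP 4500 through for NAT-T to work, and an IPsec peer that reports integrity-check failures for a partner behind NAT is a strong hint that NAT-T negotiation did not happen.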
Note